Concerns re: Same-Entity proposal from Dobbs, Brooks on 2003-10-22 (public-p3p-spec@w3.org from October 2003)

From: Dobbs, Brooks <bdobbs@doubleclick.net>
Date: Wed, 22 Oct 2003 15:31:48 -0400
To: "'public-p3p-spec@w3.org'" <public-p3p-spec@w3.org>
Message-ID: <D464F551A951ED4E804B9713B519E6C9029418AE@NYC-EX101.doubleclick.net>

Though I have enormous sympathy for the issue we are trying to resolve here.
I have some concerns with the mechanism suggested.

 

They are in no particular order:

1)       We need be careful between providing tools on which to make policy
and making policy itself.  While it may be a useful tool to have the ability
to state that collection covered by separate PRFs  is under the control of
the same entity, ultimately it is up to the UAs to decide how they want to
implement these tools.

2)       We use the term entity (and later in the agent relationship
proposal - "agent") without providing sufficient guidance on what this
means.  Rigo suggests there may be ways around this but I think they would
be unclear at best and difficult to explain to the end user.  This suggests
to me that point 1) may mean that UAs don't act on this tool if they had it.

3)       I think that there is an issue in that entity is today defined at
the policy level.  A PRF for a host can reference 2 distinct policies each
of 2 distinct entities (data controllers) - how then can there be meaning to
say at the PRF level this entity is the same as anything else?  The same as
which of the 2?

4)       There would need to be a mechanism to expire same entity
relationship.  This may be handled through the expiry in policy files but
there is currently no such mechanism for CPs

5)       Headers are limited practically by the number of same hosts that
they can declare.  Also declaring multiple "same-entity" relationships would
presumably require a validation against each full policy prior to accepting
the accuracy of the header declaration.  This is somewhat illogical, as, IF
we where to accept the performance hit of policy prefetching, then we would
have no need for CPs!  Jack rightly points out that we may only need to
validate against the PRF and not the policy - but I think that I may have
brought that into question with point 3).

6)       Again on the topic of CPs, once a same entity relationship has been
established between cookie (set by A) and site B from which an asset
appears, how they can a same entity relationship be established from a
subsequent replay on site C (provided that PRFs or policies) for all these
sites do indeed declare each other as same entity?

 

Sorry to be so elaborate here.  Again I am completely sympathetic - just not
sure we are there yet or if I see a clear way through the issues.

 

Thanks, 

Brooks 

 

 

Brooks Dobbs

Director of Privacy Technology

DoubleClick, Inc.

 

email: bdobbs@doubleclick.net <mailto:bdobbs@doubleclick.net> 

office: 404.995.6634

Received on Wednesday, 22 October 2003 15:31:54 UTC